Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.

Monday, August 24, 2009

Privileged Identity Management

I recently read an interesting article on this topic and how it relates to databases. The article is a good read, and I want to highlight some points that should apply to everyone working in IDM, particularly around PIM:

1. Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review

2. It is both feasible and reasonable for senior executives to personally review this information and record that they have done so

3. Anyone can expect this kind of review may be taking place in any major organization handling high-risk data, although it is not as universal as it should be

Think about point #1 above and ask yourself if you would have a short list for your CIO/CISO to review at your company. I agree that the list should be extremely short and it should be reviewed by your management chain on a regular basis. As the author states, these reviews are not as universal as they should be. How about at your company?

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not represent those of my employer or anyone else for that matter. View this blog's privacy policy here. 16 CFR § 255.5 disclosure: I am an employee of Quest Software.